Papers and Reports

CyberGreen Metrics Position Paper: Shades of Green [pdf]

An analysis by Dr. Dan Geer, CyberGreen stats special advisor, on the direction of CyberGreen’s metrics.

CyberGreen Statistics Platform v.2 Overview and Requirements [pdf]

Using lessons learned from v.1, along with end user expectations, an overview of the architecture for Statistics platform v.2 and its requirements have been prepared by L. Aaron Kaplan and Dr. Rufus Pollock.

Concept Paper [pdf]

We developed our original concept paper in 2014, which you can find by clicking on the title above. Visit our current program description to learn what we’re up to now.

Research [pdf]

Cybersecurity metrics, specifically for Cyber Health, have long suffered from a lack of statistical rigor. The origin of this omission is multi-fold, including issues in collection, the inability to cross-compare data, and a failure to apply normalization techniques. The absence of statistically meaningful cybersecurity metrics prevents the ability to compare organizations and efforts over time, and blocks an effective evaluation of cybersecurity investments.

Internet Infrastructure Health Metrics Framework [pdf]

This report is an analysis and evaluation of existing risks to Internet infrastructure from a public health standpoint. The ultimate goal of the project is to create country-level “scorecards”. This report sets the foundation for achieving that through the exploration of several models, the identification of six components that we assessed as being vital to Internet infrastructure, the selection of indicators that we have identified as being relevant to assessing the health of those components, the data that will be collected, and the preliminary metrics we will use to conduct measurements..

As digital societies continue to evolve, digital economies must increasingly depend on resilient, trustworthy, and safe Internet infrastructure. We focus on understanding risks to a nation’s Internet infrastructure as a subset of the cybersecurity risk a nation state is subjecting itself to.

Internet public health relates to enterprise cybersecurity much like public health relates to medicine. In defining public health for Internet infrastructure, we have created a new opportunity to focus on prevention and mitigation on a global scale. Many problems faced by public and private sector entities are symptoms of unhealthy technical practices, contributors to an unhealthy Internet ecosystem, or both. A collective effort to target such underlying causes of systemic cyber risk (risk factors), rather than merely treating its symptoms, will have a far-reaching impact in establishing confidence in the safety and resiliency of the global Internet ecosystem.

The Internet Infrastructure Health Metrics Framework will allow nation states to measure their overall risk, understand how it changes over time, and compare to other states using a data-driven approach and a public health model. The scorecard will enable states to understand and contextualize the state of their internet infrastructure in a public health framework. Using a model to measure the public health of Internet infrastructure is new, and the work has come with a series of challenges and outstanding questions. More research must be done to uncover the right metrics, measurements, and normalization techniques needed to tell the story in the proper context and enable thoughtful peer comparison.

Addressing the challenges and questions related to this work involves buy-in and cooperation from multiple stakeholders. We focus our recommendations on two subsets: recommendations for policymakers and recommendations for further research by organizations like ERIA and CyberGreen.

Recommendations for policymakers:

  • Conduct a census of critical Internet infrastructure in your country.
  • Evaluate national standards for security advice and the consistency and character of that advice (i.e. goal-centric? Activity-centric?).
  • Mandate certain practices for companies to report security breaches.
  • Create standards for incident and near miss reporting and investigation.

Recommendations for further research:

  • Invest in models and datasets that illuminate risk and can be measured at Internet scale rather than enterprise scale.
  • Investigate reasons that organizations are not acting on security advice.
  • Develop a fuller model of the mapping between cybersecurity issues and public health issues.
  • Refine definitions of critical Internet infrastructure.
  • Create a formula for an Internet infrastructure health scorecard and engage relevant communities.
  • Run a pilot to measure Internet infrastructure health.
  • Create a set of evaluation criteria to allow assessment of observed measures.